From: Greg Kroah-Hartman
Date: Sat, 29 May 2021 13:56:22 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.4.271~124
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=171bcfb9e19557b55ddd1eda7950751d5efff551;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
---
diff --git a/queue-4.9/nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch b/queue-4.9/nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
new file mode 100644
index 00000000000..f08d140fda5
--- /dev/null
+++ b/queue-4.9/nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
@@ -0,0 +1,60 @@
+From a421d218603ffa822a0b8045055c03eae394a7eb Mon Sep 17 00:00:00 2001
+From: Anna Schumaker
+Date: Wed, 19 May 2021 12:54:51 -0400
+Subject: NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return()
+
+From: Anna Schumaker
+
+commit a421d218603ffa822a0b8045055c03eae394a7eb upstream.
+
+Commit de144ff4234f changes _pnfs_return_layout() to call
+pnfs_mark_matching_lsegs_return() passing NULL as the struct
+pnfs_layout_range argument. Unfortunately,
+pnfs_mark_matching_lsegs_return() doesn't check if we have a value here
+before dereferencing it, causing an oops.
+
+I'm able to hit this crash consistently when running connectathon basic
+tests on NFS v4.1/v4.2 against Ontap.
+
+Fixes: de144ff4234f ("NFSv4: Don't discard segments marked for return in _pnfs_return_layout()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anna Schumaker
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/pnfs.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1070,6 +1070,11 @@ _pnfs_return_layout(struct inode *ino)
+ {
+ struct pnfs_layout_hdr *lo = NULL;
+ struct nfs_inode *nfsi = NFS_I(ino);
++ struct pnfs_layout_range range = {
++ .iomode = IOMODE_ANY,
++ .offset = 0,
++ .length = NFS4_MAX_UINT64,
++ };
+ LIST_HEAD(tmp_list);
+ nfs4_stateid stateid;
+ int status = 0, empty;
+@@ -1088,16 +1093,10 @@ _pnfs_return_layout(struct inode *ino)
+ pnfs_get_layout_hdr(lo);
+ empty = list_empty(&lo->plh_segs);
+ pnfs_clear_layoutcommit(ino, &tmp_list);
+- pnfs_mark_matching_lsegs_return(lo, &tmp_list, NULL, 0);
++ pnfs_mark_matching_lsegs_return(lo, &tmp_list, &range, 0);
+ 
+- if (NFS_SERVER(ino)->pnfs_curr_ld->return_range) {
+- struct pnfs_layout_range range = {
+- .iomode = IOMODE_ANY,
+- .offset = 0,
+- .length = NFS4_MAX_UINT64,
+- };
++ if (NFS_SERVER(ino)->pnfs_curr_ld->return_range)
+ NFS_SERVER(ino)->pnfs_curr_ld->return_range(lo, &range);
+- }
+ 
+ /* Don't send a LAYOUTRETURN if list was initially empty */
+ if (empty) {
diff --git a/queue-4.9/series b/queue-4.9/series
index c40e129a773..5f3d9506a5d 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -3,3 +3,4 @@ tweewide-fix-most-shebang-lines.patch
 scripts-switch-explicitly-to-python-3.patch
 netfilter-x_tables-use-correct-memory-barriers.patch
 nfc-nci-fix-memory-leak-in-nci_allocate_device.patch
+nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
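Review bot: The inner fs/nfs/pnfs.c change closes the NULL dereference only at this one call site; pnfs_mark_matching_lsegs_return() itself, which is outside this hunk, still carries no guard on its range argument, so the requirement that the pointer be non-NULL stays implicit for any other caller. A one-line comment at the new call, `/* range must be non-NULL: pnfs_mark_matching_lsegs_return() dereferences it unconditionally */`, or a WARN_ON_ONCE-and-return check at the top of the callee, would make that contract visible to the next person who touches a caller. Hoisting `range` to function scope also means the same object is now handed both to pnfs_mark_matching_lsegs_return() and to the ->return_range() callback reached through pnfs_curr_ld; that is only safe if neither writes through the pointer, which the hunk does not show, so it is worth confirming against the callee and the callback implementations. _pnfs_return_layout() continues past the hunk's last context line.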